on 07-07-2011 6:27 AM
Dear Expert ,
Any idea where we can maintain Detour configuration in GRC AC 10 .
In MSMP i can see route mapping but not sure if this is place where i need cinfigure detour as it doenot have option to set detour condition .
Thanks & Regards
Asheesh
Hi Asheesh ,
In 5th stage of workflow configuration , 'Maintain Paths' . You can activate routing and assign a routing rule to a stage .
To create new routing rule you can use BRF+ or Function modules and configure these rules in workflow configuration .
Hope this helps .
Best Regards,
Aman
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Dear Amanjit
At maintain path in MSMP , at stage level I can see Routing enable option with Rule ids like SOD violation and no roleowner check ...... ect .
Do you mean the same option ?
I am wonderining if we still have option to set condition like " SOD violation found/not found " like GRC Ac 5.3 .
Also where i need to define stage that detour path need to take once detour condition is met .
Thanks a lot for your help .
Best Regards
Asheeh
Hi Asheesh,
As of now SAP is not supporting routing/detour paths created using BRF. For solving your purpose of detour path during SOD violation you can use standard function module rule "GRAC_MSMP_DETOUR_SODVIOL". This will solve your purpose.
1. Create the iniator workflow
2. Make risk analysis mandatory in any stage and in same stage click on "Routing enabled" >Show details> Rule Id: GRAC_MSMP_DETOUR_SODVIOL and Rule result set "SODVIOL_DETOUR_PATH".
3. Create a path and route for SODVIOL_DETOUR_PATH ruleset.
Please let me know if you have more queries.
Regards
Rajan Arora
Hi Rajan,
I have configured workflow same as you mentioned,because my scenario is exactly same as asheesh scenario..
at the security stage (2nd stage of path) security admin need to run risk analysis,and if any violations occur then the request should detour to internal control team for creating / recomending any mitigation control id..and after they approve the same request must come to security admin to manually provision the role..
But in my case ..security admin after running the risk analysis,when he get the sod violations the request is not detouring to another path..even though routing enabled at security stage...
Please let me know one thing..when SOD violations occur at security stage..the request will automatically routed to another specified path..or the security admin need to select and press any buttons like approve or reject etc., when i click approve at this security stage the request is closing and role is assigning automatically at the back end system even though it has SOD violations..
Please suggest...
Regards,
Ravi.
Hi Ravi
Detour path only take once request is approved or rejected .Make sure in stage setting detour is reflected in both "Modify" and "modify setting " .Some time done at one place will reflect setting .
Also u need to map SOD detour condition to path in step maintain routing .
Hope this help .
Thanks & Regards
Asheesh
Hi Asheesh/Rajan
Do I need to run the risk analysis to make the default path to take the detour path & Once I correct and approve at the compliance stage in detour path will it automatically come back to the role owner stage from where actually it got detoured? Or do I need to Approve/Reject at Role owner stage in order to activate the detour workflow.
Regards
Pradeep
Dear Anjan,
I also followed your instructions, many thanks for the clear explanation.
I did not use the standard detour rule, but created an (for now) identical, custom one: ZGRAC_MSMP_DETOUR_SODVIOL.
Unfortunately I get an error when generating the new MSMP version: "Rule with ID ZGRAC_MSMP_DETOUR_SODVIOL does not exist for rule type 1". And then the next error states "Rule ID ZGRAC_MSMP_DETOUR_SODVIOL (rule type F) is not compatible with process type".
Do you have an idea what is causing the error to be thrown? I have double checked that the new rule is defined for the process type SAP_GRAC_AR, that the rule kind is Routing Rule and that the rule type is Functional Module Based Rule.
Thanks in advance.
Kind regards,
EM
There is a way to trigger detour path only if Risk Level is High or Critical.?
Regards.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
IN ARQ approver performs risk violation check. If violation is found then workflow is routed (detour) to risk owner. Is there a way to activate detour for high risks only. Low and medium risks should not go to detour path.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi.
Guys, do you know how can i create a SoD detour for roles?
Thanks
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Magaly
I think you are talking about workflow in ERM ,where while creating role you can trigger a workflow .
As per my knowledge you cannot have Detour there .
Detour path is only possible from CUP when predefined condition are met and request cannot proceed on predefined path .
Thanks & Regards
Asheesh
Thanks rajan and amanjit, its working with solution provided by you .
Thanks & Regards
Asheesh
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
HI Asheesh,
Can you confirm whether you fixed the issue. Routing works only if we reject the request ??
I have following scenario
1. No SoDs >> Take approval from Role Owner and create user/ assign the access using workflow
2. SoDs found >> Role Owner approval and then Security team approval after this userid will be created and assign the access
I have configured as below
Maintain Paths
1.GRAC_DEFUALT_PATH . In this I have configured re routing using Functional module GRAC_MSMP_DETOUR_SODVIOL to route from Role Owner stage to Security stage
2. ZGRAC_NO_SOD_PATH . .with stage as role owner only
Maintain Route Mapping
1. Map GRAC_DEFUALT_result to Default_path
2. Map GRAC_MSMP_DETOUR_SODVIOL to Defualt Path again for any SOD violations
3. Used one more functional module GRAC_INITIATOR_SOD_VIOLATIONS to check SoDs and map No SOD result to ZGRAC_NO_SOD_PATH
Workflow is working perfectly for Scenario# where SoD exist
But for Scenario#1 , it is still following same path with 2 stages . Ideally it should go to role owner and assign the access
I believe this is due to it is just following 1 path GRAC_DEFUALT_PATH even though there are no SODs
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.